Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken Link

Server-side request forgery (SSRF): The main vulnerability in any webhooks service is server-side request forgery (SSRF). An SSRF i...

PlanetScale: Server Side Request Forgery (SSRF) in webhook functionality

The URL http://169.254.169.254/metadata/identity/oauth2/token is a specific endpoint for the . It allows applications running on Azure Virtual Machines (VMs) to retrieve OAuth 2.0 access tokens without needing to store hardcoded credentials.

The VM is considered "trusted compute," so it doesn't need a password to get a token.

If you found this in production logs and your metadata service is not properly secured, rotate your keys, invalidate tokens, and audit your Identity and Access Management (IAM) roles immediately.
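One way to search logs for this pattern, as an added example that is not part of the original page: the script percent-decodes each webhook URL (repeatedly, to handle double encoding) and flags any whose host is a literal address in 169.254.0.0/16. The `webhook-url` parameter name is taken from the page title, and the log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # range holding the metadata IP
# Assumed parameter name, taken from the page title; adjust to your service.
PARAM = re.compile(r'webhook[-_]url=([^\s&"]+)', re.IGNORECASE)


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded values (%253A) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def targets_metadata(url):
    """True if the URL's host is a literal IP inside 169.254.0.0/16."""
    host = urlsplit(fully_decode(url)).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host) in LINK_LOCAL
    except ValueError:
        # Hostname or non-standard IP notation: not covered by this log scan.
        # Enforce the block on the resolved address at request time as well.
        return False


def scan(lines):
    """Return (line_number, decoded_url) for each suspicious webhook URL."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in PARAM.finditer(line):
            if targets_metadata(match.group(1)):
                hits.append((number, fully_decode(match.group(1))))
    return hits


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "POST /hooks?webhook-url=https%3A%2F%2Fexample.com%2Fnotify 200",
    "POST /hooks?webhook-url=http%3A%2F%2F169.254.169.254%2Fmetadata%2Fidentity%2Foauth2%2Ftoken 200",
    "POST /hooks?webhook_url=http%253A%252F%252F169.254.169.254%252Fmetadata%252Fidentity%252Foauth2%252Ftoken 200",
]

if __name__ == "__main__":
    for number, url in scan(SAMPLE_LOG):
        print(f"line {number}: webhook URL points at metadata service: {url}")
```

The same `targets_metadata` check can be applied when a webhook URL is registered, but a hostname that resolves to the metadata address is only caught by validating the resolved IP when the request is made.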

When decoded from URL encoding (%3A = :, %2F = /), it becomes:

When code runs on a cloud virtual machine, it can "talk" to this IP to get information about itself without needing external credentials. It is a feature designed for convenience, allowing the VM to discover its own role, region, and, most importantly, its .

Anatomy of the URL